No, a parameterised query doesn’t just drop the parameter values in to the query string, it supplies the RD
……本2文来源gaodai.ma#com搞##代!^码@网3
搞代gaodaima码BMS with the parameterised query and the parameters separately. But such a query can’t have a table name or field name as a parameter. The only way to do that is to dynamically code the table name into the query string, just as you have already done. If this string is potentially open to attack you should validate it first; such as against a white list list of allowable table
搞代码网(gaodaima.com)提供的所有资源部分来自互联网,如果有侵犯您的版权或其他权益,请说明详细缘由并提供版权或权益证明然后发送到邮箱[email protected],我们会在看到邮件的第一时间内为您处理,或直接联系QQ:872152909。本网站采用BY-NC-SA协议进行授权
转载请注明原文链接:php的mysql_prepare不能使用表明一类级作为参数
转载请注明原文链接:php的mysql_prepare不能使用表明一类级作为参数
